Cloud computing has likely reached the market adoption acceleration point signaling a period of dramatic growth of this transformational operating model for enterprise information infrastructure. Cloud computing will expand from its base of software services to infrastructure services hosting core business operations and data. The confluence of experience and success with software cloud services, extreme budgetary pressures, dramatic new infrastructure service offerings, and enhanced security and disaster recovery concern is large companies and government agencies to increase the role cloud services play in their business model. Cloud computing has likely reached the market adoption acceleration point signaling a period of dramatic growth of this transformational operating model for enterprise information infrastructure. Cloud computing will expand from its base of software services to infrastructure services hosting core business operations and data. The confluence of experience and success with software cloud services, extreme budgetary pressures, dramatic new infrastructure service offerings, and enhanced security and disaster recovery concern is large companies and government agencies to increase the role cloud services play in their business model. Market adoption of innovative technologies and processes follows a transition curve illustrated in Exhibit 1. Risk tolerant innovators and early adopters experiment with unproven new technologies and processes based on their assessment of potential returns. They prove the viability of the innovation and help improve its reliability and functionality by identifying weaknesses and defects. With viability and benefit demonstrated, more pragmatic and conservative organizations, representing the bulk of the market, become adopters rapidly accelerating installed base expansion. The cloud computing market has reached that acceleration point. This paper reviews cloud computing concepts, how the cloud computing market was established, cloud infrastructure service offerings that are the basis for accelerated market adoption, and cloud computing security. The discussion addresses reality verses hype, risks, and benefits. This paper is

Comments 0

Document transcript

AbstractCloud computing has likely reached the market adoption acceleration point signaling a period ofdramatic growth of this transformational operating model for enterprise informationinfrastructure. Cloud computing will expand from its base of software services to infrastructureservices hosting core business operations and data. The confluence of experience and success withsoftware cloud services, extreme budgetary pressures, dramatic new infrastructure serviceofferings, and enhanced security and disaster recovery concern is large companies and governmentagencies to increase the role cloud services play in their business model.IntroductionCloud computing has likely reached the market adoption accelerationpoint signaling a period of dramatic growth of this transformationaloperating model for enterprise information infrastructure. Cloudcomputing will expand from its base of software services toinfrastructure services hosting core business operations and data. Theconfluence of experience and success with software cloud services,extreme budgetary pressures, dramatic new infrastructure serviceofferings, and enhanced security and disaster recovery concern islarge companies and government agencies to increase the role cloudservices play in their business model.Market adoption of innovative technologies and processes follows atransition curve1illustrated in Exhibit 1. Risk tolerant innovators and early adopters experimentwith unproven new technologies and processes based on their assessment of potential returns.They prove the viability of the innovation and help improve its reliability and functionality byidentifying weaknesses and defects. With viability and benefit demonstrated, more pragmatic andconservative organizations, representing the bulk of the market, become adopters rapidlyaccelerating installed base expansion. The cloud computing market has reached that accelerationpoint.

not intended to survey all cloud offerings, nor all cloud providers, but to put the transition to cloudservices in a pragmatic context to aid in decision making. This paper focuses on enterpriseinfrastructure and not on individual consumer2services.Cloud computing conceptsAs with most information technology innovations cloud computingcreated a great deal of confusion as to its meaning and generatedenormous hype3about its benefits and risks. This confusion led theNational Institute of Standards and Technology (NIST) in September2011 to issue the following definition4of cloud computing:Cloud computing is a model for enabling ubiquitous,convenient, on-demand network access to a shared pool ofconfigurable computing resources (e.g., networks, servers, storage, applications, andservices) that can be rapidly provisioned and released with minimal management effort orservice provider interaction.In conjunction with this definition NIST defined three service models:Software as a Service (SaaS). The capability provided to the consumer is to use theprovider’s applications running on a cloud infrastructure.Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto thecloud infrastructure consumer-created or acquired applications created using programminglanguages, libraries, services, and tools supported by the provider.Infrastructure as a Service (IaaS). The capability provided to the consumer is to provisionprocessing, storage, networks, and other fundamental computing resources where theconsumer is able to deploy and run arbitrary software, which can include operating systemsand applications.NIST completed its definition with four deployment models:Private cloud. The cloud infrastructure is provisioned for exclusive use by a singleorganization comprising multiple consumers (e.g., business units).Community cloud. The cloud infrastructure is provisioned for exclusive use by a specificcommunity of consumers from organizations that have shared concerns.Public cloud. The cloud infrastructure is provisioned for open use by the general public.Hybrid cloud. The cloud infrastructure is a composition of two or more distinct cloudinfrastructures.Although the NIST definitions were intended for Federal Government agencies they are widely usedin the private sector. However, the distinction between platform as a service and infrastructure as aservice is often overlooked and both are often referred to as infrastructure as a service. Thedistinction between virtualization (a technology) and cloud (a service) is sufficiently vague that theterms are often used interchangeably.Cloud computing benefitsare only fully realized withpublic cloud serviceswhich are the subject ofthis paper. Cloud serviceprovider infrastructure isso large that, to theircustomers, the resourcesappear infinitely flexibleand inexhaustible.

OnPoint Consulting, Inc. Cloud Computing Acceleration Point

3

The U.S. Chief Information Officer’s (CIO) 25 Point Implementation Plan to Reform FederalInformation Technology Management5includes three points directly addressing cloud computing:1. Shift to a “Cloud First” policy: When evaluating options for new IT deployments, OMB willrequire that agencies default to cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists2. Stand-up contract vehicles for secure IaaS solutions: GSA will make a common set ofcontract vehicles for cloud-based Infrastructure-as-a-Service solutions availablegovernment-wide.3. Stand-up contract vehicles for commodity services: GSA will … stand up government-wide contract vehicles for cloud-based email solutions [and] … other back-end, cloud-basedsolutions.The 25 Point plan articulates three broad benefit areas which are further detailed in the U.S. CIO’sFederal Cloud Computing Strategy6:Economical: Cloud computing is a pay-as-you-go approach to IT, in which a low initialinvestment is required to begin, and additional investment is needed only as system useincreases.Flexible: IT departments that anticipate fluctuations in user demand no longer need toscramble for additional hardware and software. With cloud computing, they can add orsubtract capacity quickly and easily.Fast: Cloud computing eliminates long procurement and certification processes, whileproviding a near-limitless selection of services.These cloud computing benefits are only fully realized with public cloud services which are thesubject of this paper. Public cloud service providers (CSPs) initially established large informationtechnology infrastructures for their own use providing online services to millions of individualconsumers. Then they offered to expand their infrastructure for individual consumers andenterprise cloud computing. The key is that their infrastructure is so large (estimated at over amillion servers and an Exabyte7of data storage) that, to their customers, the resources appearinfinitely flexible and inexhaustible.Enterprises establishing a private cloud must continue to invest in information technologyinfrastructure. Pay-as-you-go is achievable at the component organization level through usage-based charge-back. The entire cost of the private cloud infrastructure is still absorbed at theenterprise level, just as in non-cloud environments.Enterprise private clouds can achieve economies by standardizing hardware platforms andoperating systems and by virtualizing the infrastructure to optimize usage. Many organizationsbuilt their infrastructure incrementally to serve component organization specific needs resulting insuboptimal usage levels as low as 5-10%. Virtualization, the underlying cloud technology, hasreduced infrastructure for some enterprises by factors close to ten.Private clouds can achieve flexibility and speed allowing component organizations to dynamicallyexpand and contract allocated capacity. However, the sum of concurrent demand from allOnPoint Consulting, Inc. Cloud Computing Acceleration Point

4

component organizations is limited by the enterprise installed infrastructure. The principaldifference between private and public clouds is the size of the infrastructure.How the cloud computing market was establishedThe cloud computing market was established primarily with email. Every enterprise is dependenton email for internal and external communications. Most enterprises manage internal emailsystems. Individual consumers have turned to email services provided either by their Internetservice provider or by free cloud email providers.Microsoft Hotmail, established in 1996, has been the cloud email leader with 360 million users as ofJuly 20118. Google Gmail, established in 2004, claims to have 425 million users9. Yahoo Mail,established in 1997, is reported to have 300 million users10. With over a billion individual users ofthese three cloud services, cloud based email came to be trusted as a reliable, available, capable,and secure software service.Cloud email providers leveraged their brands and infrastructure to offer cloud based email serviceto enterprises. At its I/O 2012 conference11, Google announced that 5 million businesses, 66 of thetop 100 universities, and government agencies in 45 states use Gmail as their enterprise emailplatform12. At the Federal level the National Atmospheric and OceanicAdministration13(NOAA) and General Services Administration14(GSA)also adopted Gmail.Two other well known cloud software service providers areServiceNow and Salesforce. ServiceNow provides cloud based softwareservice for help desk operations. In 2011 ServiceNow15reported threeyear growth rate of 1240%. ServiceNow market growth was aided bysignificantly lower price structure than its expensive key competitorsBMC Remedy and CA Unicenter.Salesforce provides cloud base customer relationship managementsoftware service. It provides all of the tools needed to enable corporate sales staff. Salesforcemaintains customer account lists and contacts, marketing leads, marketing materials (e.g.,presentations, brochures, data sheets), opportunity pipeline, quotes, sales process automation, andbusiness analytics and forecasting.These and many other similar functionally focused software service offerings established the cloudcomputing market. Cloud computing is no longer perceived as technology hype or a futuristicconcept. Enterprises are taking a serious look at cloud computing and evaluating the business caseand risks. Gartner projects16the enterprise public cloud computing market will grow 20% from $91billion in 2011 to $109 billion in 2012 while the overall information technology market will growonly 3%. The question causing the most angst for CIOs and other senior executives is if, when, andhow to leverage cloud infrastructure services.

Cloud infrastructure service offeringsInfrastructure as a service has been available in different forms sincethe 1960’s when time-sharing contracts offered access to mainframecomputers owned by service providers and operated in the serviceprovider’s data center. Many Federal agencies used time-sharingservices. In the 1990s infrastructure as a service was known asoutsourcing. An enterprise sold its information technology and evendata centers to a service provider who sold the time back to theenterprise on a usage basis.While many businesses eagerly adopted the outsourcing model toreduce infrastructure costs and focus executive attention on corecompetencies, few Federal Government agencies followed suit. Federalagencies did not want to depend on a commercial entity for theirinformation technology operations even though they were willing todepend on commercial entities for their telecommunications(telephone and wide area network). They simply did not trust that theoutsourcer would routinely provide them with the quality of servicenecessary for mission success.Federal agencies also faced the dilemma of how to re-compete outsourced information technologyservices. All outsourcing contracts have termination (unwind) clauses should the customer decideto switch outsourcers or insource the information technology. In the commercial world, theseclauses are rarely exercised. The outsourcer and customer work to resolve any issues and negotiatecompetitive prices. Contracts are routinely renewed on a sole source basis.The Federal Acquisition Regulation requires regular re-competition of contracts. Federal agenciespotentially face the daunting task of moving their entire information technology infrastructure to anew provider at each contract award. Aside from the complex task of having the new providerpurchase the entire infrastructure from the previous provider, risks associated with moving theenterprise infrastructure to the new provider’s data center made the commercial outsourcingmodel untenable for most Federal agencies.Twenty-first century infrastructure as a service has significantlyreduced the barriers to market adoption. The services offered byAmazon and Google illustrate characteristics of the current cloudinfrastructure service marketplace. Amazon, the largest Internetretailer17with $48 billion in 2011 sales, is also reported18to be thelargest cloud service provider with 2011 sales of Amazon Web Services estimated to be $6 billion.Amazon entered the cloud infrastructure services market in 200619.Google, the provider of a multitude of free Internet software services,announced full service entry into the cloud infrastructure servicesmarket on June 28, 201220. Google 2011 revenue21was $37.9 billion,primarily from advertising ($36.5 billion). Although six years behindAmazon, the strength of the Google brand, the quality of Google’sinfrastructure, and Google’s success dominating most of the markets it enters are harbingers oftheir role in this burgeoning market.Amazon and Google builtand operate enormousinformation technologyinfrastructures to powertheir operating models.With multiple data centersin six domestic and fiveforeign locations,estimates are that Googlehosts over one millionservers and one Exabyte ofdata storage. Amazonlikely has aninfrastructure at similarscale. Enterprise publiccloud customers now haveaccess to these massiveserver and storage farms.

OnPoint Consulting, Inc. Cloud Computing Acceleration Point

6

Amazon and Google built and operate enormous information technology infrastructures to powertheir operating models. Each company has dedicated data centers22located in the United States(Exhibit 2) and around the world. Neither company releases information about the size of theirinfrastructure. In a 2009 video23, Google showcased a new data center housing 45,000 servers. WithGoogle’s 30% annual growth rate and multiple data centers in six domestic locations and fiveforeign locations, estimates are that Google hosts over one million servers and one Exabyte of datastorage. Amazon likely has an infrastructure at similar scale. Enterprise public cloud customersnow have access to these massive server and storage farms.Amazon recognized that it had created an infrastructure of scale an order of magnitude or morelarger than most enterprises. Amazon also recognized that its brand as a successful Internet retailercould be leveraged to offer cloud infrastructure services. Google is now counting on its Internetservice brand in a similar manner.Amazon Simple Storage Service (Amazon S3) is storage for the Internet. Amazon Elastic ComputeCloud (Amazon EC2) is a web service that provides resizable compute capacity in the cloud.Amazon Elastic Block Store (EBS) provides block level storage volumes for use with Amazon EC2instances. Amazon Web Services comprise S3, EBS, EC2, and many additional cloud offerings.Figure 2: Amazon and Google data center locations

Google offers very similar services including Google Cloud Storage and Google Compute Engineunder the brand Google Cloud Platform. At its announcement of Compute Engine, Googledemonstrated24the power of its infrastructure with a client’s genome mapping calculation. Theclient’s in house infrastructure with 1000 servers was reported to complete one calculation in tenminutes. Google launched the calculation, allocated 600,000 cores in real time, and was able tocomplete multiple calculations per second.Amazon, Google, and many other CSPs’ services are ubiquitous in the sense that they are availablewherever one has an Internet connection and provide on-demand access to a shared pool ofconfigurable resources (storage, server, application). They align with the U.S. CIO’s definition offlexibility in that IT departments can add or subtract capacity quickly and easily.

Benefits and risks of public cloudcomputingIssuance of cloud computing contracts is likely to take as long as anyother Government procurement. However, once GSA issuesGovernment Wide Acquisition Contracts (GWAC) to CSPs, otheragencies will be able to obtain these services quickly.CSP services tend to be pay-as-you-go with low initial investment andadditional investment only as needed for agency system usagedemand. Whether this turns out to be economical for agenciesdepends on CSP pricing structure, internal cost structure forcomparable services, and how efficiently an agency uses CSP services.As an example, enterprise scale cloud storage pricing25isapproximately $1000/TB/year. This is approximately equal to thepurchase price of enterprise grade storage. Cloud storage serviceincludes multi-data center replicated storage26and includes allnetworking, data center management, and infrastructure management costs.Gartner reports27the average total cost of ownership for enterprise raw configured storage as$4876 with 50% of enterprises in the range $2200 - $6200/TB/year. For direct comparison of inhouse useable storage costs with cloud storage costs the Gartner number must be inflated28to$13,900/TB/year. For most enterprises, cloud storage offers significant cost benefits. If anenterprise moves their data to a CSP but maintains the empty floor space in their datacenter, theywill only realize a fraction of the apparent cost benefit. Similarly, subscribing to more cloudcomputing capacity than needed results in sub-optimal usage levels and excess cost.Adequate network bandwidth at the CSP and the customer locations, and response time of CSPstorage and processor systems are critical requirements for successful cloud computing operations.Google and Amazon published service level agreements29do not include bandwidth or responsetimes. The only service commitment they make is to availability, either 99.9% or 99.95% dependingon the service. Given the vast size of their infrastructure and exceptional response time toindividual customer requests it is likely that performance will not be an issue for enterprisecustomers.The U.S. CIO’s 25 Point Implementation Plan to Reform Federal Information Technology Managementdescribes experiences of two new Internet offerings to support the cloud first strategy: a privatesector web-based media production company that grew from 20,000 to 250,000 customers in threedays successfully scaling their infrastructure from 50 to 4000 virtual machines; the FederalGovernment’s Car Allowance and Rebate System (CARS, more commonly known as “Cash-For-Clunkers”) which failed when demand far exceeded projections. Google, as part of its ComputeEngine announcement, demonstrated the ability to scale in real time to 600,000 cores for a client’scomputational problem.These examples demonstrate a clear benefit of CSP offerings. However, the benefit applies only to avery small market segment. Relatively few enterprises experience order of magnitude growthspurts in a few days and even fewer have short term computation problems requiring hundreds ofthousands of cores for short durations. Most enterprises have relatively steady or slowly growingPublic cloud computinginfrastructure services offerthe potential for lower cost,flexibility to meet short orlong term workload,support for continuity ofoperations, highavailability, and exceptionalpower usage effectiveness.

The most significant benefitmay be relieving seniorexecutives of the burdensassociated with managingin house infrastructureenabling them to increasefocus on the enterprise coremission.

OnPoint Consulting, Inc. Cloud Computing Acceleration Point

8

compute and storage workloads with daily or weekly cycles. Enterprises launching a newinformation technology service on the Internet or to a supplier or customer network may wellbenefit from the flexibility to rapidly scale infrastructure CSPs offer. For most enterprises this is apotential benefit that will rarely if ever be realized.A significant benefit of cloud computing mentioned briefly in the Federal Cloud Computing Strategyis in continuity of operations (COOP). Cloud storage services include data replication ensuring thatthe loss of a single data center does not result in loss of persistent data. CSPs with adequate servercapacity enable computational workload to shift from a non-operational data center to anoperational data center. However, as the Amazon outages discussed later demonstrate, the loss of aCSP data center will impact customers until capacity is restored or transferred. Enterprisesleveraging cloud computing still need to address how they will transfer load and all other aspects ofCOOP planning including staff, facilities, networks, and other mission specific needs.Moving enterprise application processing to public cloud infrastructure requires softwarecompatibility with the CSP environment. Google Compute Engine30offers Ubuntu and CentOs Linuxoperating systems. Amazon Elastic Compute Cloud31offers SUSE and Red Had Linux in addition toMicrosoft Windows operating systems.One of the challenges32facing all data center operators is managing energy costs and collateralenvironmental impact. Many data centers’ power usage effectiveness33(PUE = total facility power /information technology equipment power34) exceeds 2.5 implying 2.5 kW of power are consumedby the facility for each 1 kW of power consumed by the information technology equipment.The Uptime Institute 2012 survey35found an average PUE of 1.8 to 1.89 with 9% of responses from1,100 data center owners and operators reporting PUE ≥ 2.5. Industry averages are likely higherthan 1.89 because of the selective survey population and the 29% of responders in the survey thatdo not measure PUE.Amazon has achieved36PUE = 1.45 in its data centers. Google, with somewhat newer data centers,has achieved37PUE = 1.13. Enterprises leveraging cloud services benefit from lower power costsand environmental footprint.Public cloud computing infrastructure services offer the potential for lower cost, flexibility to meetshort or long term workload, support for continuity of operations, high availability, and exceptionalpower usage effectiveness. The most significant benefit may be relieving senior executives of theburdens associated with managing in house infrastructure enabling them to increase focus on theenterprise core mission. Migrating to a reliable and capable CSP comes with limited risks associatedprimarily with performance and compatibility.

OnPoint Consulting, Inc. Cloud Computing Acceleration Point

9

Security and cloud computingSecurity continues to be a concern impeding adoption of public cloudcomputing because conventions have not yet been developed for theappropriate level and form of security testing of cloud providers’technology38. The Uptime Institute 2012 survey39found securityconcerns were an impediment for 64% of respondents.The security certification and accreditation process40necessary toobtain authorization to operate (ATO) has been a long standing barrierto Government adoption of public cloud computing services. TheGovernment is working to dramatically lower this barrier with theFederal Risk and Authorization Management Program (FedRAMP)41.FedRAMP is a government-wide program that provides a standardizedapproach to security assessment, authorization, and continuousmonitoring for cloud products and services. This approach uses a “doonce, use many times” framework that will save cost, time, and staffrequired to conduct redundant agency security assessments.The purpose of FedRAMP is to:• Ensure that cloud based services used government-wide have adequate information security;• Eliminate duplication of effort and reduce risk management costs; and• Enable rapid and cost-effective procurement of information systems/services for Federalagencies. …A CSP follows the process for a provisional authorization under FedRAMP and uses a 3PAO [thirdparty assessor] to assess and review their security control implementations. CSPs then providedocumentation of the test results in a completed assessment package to the FedRAMP PMO[Program Management Office]. The security package is then reviewed by the JAB [JointAuthorization Board] and if a CSP system presents an acceptable level of risk, a provisionalAuthorization [to Operate] is granted. Agencies can then leverage the Provisional ATO and granttheir own ATO without conducting duplicative assessments.In the early days of cloud computing, concerns were raised that the virtualized environment wouldenable users to penetrate the domains of other users in the cloud. These fears do not appear to havebeen realized. Google Gmail security breaches have made headlines when accounts of high profileusers42were hacked. These breaches all appear related to weak passwords and security questionsused by account owners and not to flaws in Gmail security controls43.Amazon suffered two recent major data center outages44, one each in 2011 and 2012, that resultedin user service interruptions. More recently, a Yahoo.com security breach45compromisedthousands of user account passwords.These incidents should not deter enterprises from leveraging public cloud computing. They justillustrate that no one has perfect security and enterprises leveraging cloud computing mustmaintain security vigilance, plan for security breaches, and train all employees on best practices toavoid vulnerabilities. CSP security is likely neither a risk nor a benefit for enterprises thatimplement best practice security for their in house systems. For organizations concerned aboutNo one has perfectsecurity and enterprisesleveraging cloudcomputing must maintainsecurity vigilance, plan forsecurity breaches, andtrain all employees on bestpractices to avoidvulnerabilities. CSPsecurity is likely neither arisk nor a benefit forenterprises thatimplement best practicesecurity for their in housesystems.